About the Project

Secure Auditing for Linux is a research project funded by the Defense
Advanced Research Projects Agency (DARPA). The project will
develop a kernel level auditing package for Red Hat Linux that
is compliant with the Common Criteria specifications (C2 level
equivalency) and provides features to protect logged information
from unauthorized modification through the use of encryption techniques.

Background

According to the Guidance and Policy for the Department of Defense (DoD) Global Information Grid (GIG) Information Assurance (IA) document, it is DoD policy that the DoD defense in depth strategy will provide appropriate degrees of protection to all computing environments (i.e. hosts and applications). Also according to the DoD Guidance and Policy document, GIG information systems will be monitored in order to detect, isolate, and react to intrusions, disruption of services, or other incidents that threaten the security of DoD. It is also required that there be a way to collect and retain audit data to support forensics relating to misuse, penetration, reconstruction, or other investigations. It is well known that the current auditing capabilities of Linux do not satisfy C2 specifications. NSA, in developing Security Enhanced Linux, has identified auditing as an area that requires improvement. According to the GIG IA document, all GIG information systems and networks will be certified and accredited in accordance with the Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP).

During a forensics investigation, law enforcement will often rely on audit and transaction logs as a source of evidence. However, they must also be able to prove that a malicious person has not altered those logs. Section 69 of the Police and Criminal Evidence Act 1984 states that logs produced by a computer are not admissible as evidence unless it can be shown that there is no reasonable ground for believing them to be inaccurate and the computer was operating properly during the collection of data. If it can be shown that the logs could and may have been tampered with, they are not admissible as evidence. Forensics investigators can have minimum assurance in logs that maintain date/time stamps and checksums. According to the DoD GIG IA document, systems must "collect and retain audit data to support forensics relating to misuse, penetration reconstruction, or other investigations."

From the DoD and law enforcement perspective, audit logs are not only a necessity, but also a requirement to provide a secure open-source operating environment. This project will create a kernel-level auditing facility that not only monitors all processes and records events, but also provides a way to store the data that would allow it to be admissible in a court of law (i.e. encrypted, protected by a cryptographic checksum, exported to a serial device, etc.). We believe this capability would be a benefit not only to law enforcement, but also to all of DoD in support of the GIG information assurance objectives.
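The paragraph above lists a cryptographic checksum and export to a separate device as the means of making stored audit data tamper-evident. The following is an added illustration of that idea, not code from the Secure Auditing for Linux project and not a description of its actual design: each audit record carries an HMAC-SHA256 tag computed over the previous record's tag and the record's content, so that editing, reordering or removing a record breaks the chain at the first affected index. The key, the event fields and the three sample events are all constructed for the example; the "committed tag" stands in for the last tag having been exported off the host (for instance to the serial device the page mentions), which is what makes silent truncation of the log detectable.

```python
import hashlib
import hmac
import json

# Constructed demo key. In practice the verification key would be held off the
# audited host (for instance on the machine that receives the exported log)
# so that an attacker with root on the host cannot simply re-sign records.
AUDIT_KEY = b"demo-audit-key-not-for-production"

# Tag used as the "previous tag" for the very first record in a chain.
GENESIS_TAG = "0" * 64


def _record_tag(prev_tag, event, key):
    """HMAC-SHA256 over the previous tag and a canonical JSON form of the event."""
    payload = prev_tag.encode() + json.dumps(event, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_record(chain, event, key=AUDIT_KEY):
    """Append an event, binding it to the tag of the record before it."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS_TAG
    chain.append({"event": event, "tag": _record_tag(prev_tag, event, key)})
    return chain


def verify_chain(chain, key=AUDIT_KEY):
    """Walk the chain; return (True, length) or (False, index of first bad record)."""
    prev_tag = GENESIS_TAG
    for i, rec in enumerate(chain):
        expected = _record_tag(prev_tag, rec["event"], key)
        if not hmac.compare_digest(expected, rec["tag"]):
            return False, i
        prev_tag = rec["tag"]
    return True, len(chain)


def truncation_detected(chain, committed_tag):
    """Compare the chain's last tag with a tag that was committed off-host."""
    last = chain[-1]["tag"] if chain else GENESIS_TAG
    return not hmac.compare_digest(last, committed_tag)


def build_sample_chain():
    """Three constructed audit events (not real system output)."""
    events = [
        {"seq": 1, "type": "login", "uid": 1000, "tty": "pts/0"},
        {"seq": 2, "type": "exec", "uid": 1000, "path": "/bin/sh"},
        {"seq": 3, "type": "setuid", "uid": 1000, "new_uid": 0},
    ]
    chain = []
    for ev in events:
        append_record(chain, ev)
    return chain


def tamper_demo():
    """Show which kinds of after-the-fact modification the chain exposes."""
    chain = build_sample_chain()
    committed = chain[-1]["tag"]  # stands in for the tag exported off the host
    results = {"intact": verify_chain(chain)}

    # An edit to the content of record 1 invalidates its tag.
    edited = json.loads(json.dumps(chain))  # deep copy
    edited[1]["event"]["uid"] = 0
    results["edited"] = verify_chain(edited)

    # Removing a middle record breaks the link into the record that followed it.
    spliced = chain[:1] + chain[2:]
    results["spliced"] = verify_chain(spliced)

    # Dropping the tail leaves a valid shorter chain; only the committed tag reveals it.
    truncated = chain[:-1]
    results["truncated_chain_ok"] = verify_chain(truncated)[0]
    results["truncation_detected"] = truncation_detected(truncated, committed)
    return results


if __name__ == "__main__":
    for name, value in tamper_demo().items():
        print(f"{name}: {value}")
```

The chain alone does not detect removal of the most recent records, which is why the last tag (or the whole log) has to leave the host, and a key kept on the audited machine protects only against attackers who do not have it.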